Blame - poky/meta/recipes-core/meta/cve-update-db.bb - openbmc/openbmc

blob: 522fd23807475aab2c0c636e78097482b16ad4b5 [file] [log] [blame]

Brad Bishop	f3fd288	2019-06-21 08:06:37 -0400	[diff] [blame^]	1	SUMMARY = "Updates the NVD CVE database"
				2	LICENSE = "MIT"
				3
				4	INHIBIT_DEFAULT_DEPS = "1"
				5	PACKAGES = ""
				6
				7	inherit nopackages
				8
				9	deltask do_fetch
				10	deltask do_unpack
				11	deltask do_patch
				12	deltask do_configure
				13	deltask do_compile
				14	deltask do_install
				15	deltask do_populate_sysroot
				16
				17	python do_populate_cve_db() {
				18	"""
				19	Update NVD database with json data feed
				20	"""
				21
				22	import sqlite3, urllib3, shutil, gzip, re
				23	from datetime import date
				24
				25	BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-"
				26	YEAR_START = 2002
				27	JSON_TMPFILE = d.getVar("CVE_CHECK_DB_DIR") + '/nvd.json.gz'
				28
				29	# Connect to database
				30	db_file = d.getVar("CVE_CHECK_DB_FILE")
				31	conn = sqlite3.connect(db_file)
				32	c = conn.cursor()
				33
				34	initialize_db(c)
				35
				36	http = urllib3.PoolManager()
				37
				38	for year in range(YEAR_START, date.today().year + 1):
				39	year_url = BASE_URL + str(year)
				40	meta_url = year_url + ".meta"
				41	json_url = year_url + ".json.gz"
				42
				43	# Retrieve meta last modified date
				44	with http.request('GET', meta_url, preload_content=False) as r:
				45	date_line = str(r.data.splitlines()[0])
				46	last_modified = re.search('lastModifiedDate:(.*)', date_line).group(1)
				47
				48	# Compare with current db last modified date
				49	c.execute("select DATE from META where YEAR = '%d'" % year)
				50	meta = c.fetchone()
				51	if not meta or meta[0] != last_modified:
				52	# Update db with current year json file
				53	with http.request('GET', json_url, preload_content=False) as r, open(JSON_TMPFILE, 'wb') as tmpfile:
				54	shutil.copyfileobj(r, tmpfile)
				55	with gzip.open(JSON_TMPFILE, 'rt') as jsonfile:
				56	update_db(c, jsonfile)
				57	c.execute("insert or replace into META values (?, ?)",
				58	[year, last_modified])
				59
				60	conn.commit()
				61	conn.close()
				62
				63	with open(d.getVar("CVE_CHECK_TMP_FILE"), 'a'):
				64	os.utime(d.getVar("CVE_CHECK_TMP_FILE"), None)
				65	}
				66
				67	# DJB2 hash algorithm
				68	def hash_djb2(s):
				69	hash = 5381
				70	for x in s:
				71	hash = (( hash << 5) + hash) + ord(x)
				72
				73	return hash & 0xFFFFFFFF
				74
				75	def initialize_db(c):
				76	c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
				77	c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
				78	SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
				79	c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (HASH INTEGER UNIQUE, ID TEXT, \
				80	VENDOR TEXT, PRODUCT TEXT, VERSION TEXT, OPERATOR TEXT)")
				81	c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_IDX ON PRODUCTS \
				82	(PRODUCT, VERSION)")
				83
				84	def update_db(c, json_filename):
				85	import json
				86	root = json.load(json_filename)
				87
				88	for elt in root['CVE_Items']:
				89	if not elt['impact']:
				90	continue
				91
				92	cveId = elt['cve']['CVE_data_meta']['ID']
				93	cveDesc = elt['cve']['description']['description_data'][0]['value']
				94	date = elt['lastModifiedDate']
				95	accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector']
				96	cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore']
				97
				98	try:
				99	cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
				100	except:
				101	cvssv3 = 0.0
				102
				103	c.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
				104	[cveId, cveDesc, cvssv2, cvssv3, date, accessVector])
				105
				106	for vendor in elt['cve']['affects']['vendor']['vendor_data']:
				107	for product in vendor['product']['product_data']:
				108	for version in product['version']['version_data']:
				109	product_str = cveId+vendor['vendor_name']+product['product_name']+version['version_value']
				110	hashstr = hash_djb2(product_str)
				111	c.execute("insert or replace into PRODUCTS values (?, ?, ?, ?, ?, ?)",
				112	[ hashstr, cveId, vendor['vendor_name'],
				113	product['product_name'], version['version_value'],
				114	version['version_affected']])
				115
				116
				117
				118	addtask do_populate_cve_db before do_cve_check
				119	do_populate_cve_db[nostamp] = "1"
				120
				121	EXCLUDE_FROM_WORLD = "1"